System came to me with a variant of the ICE Ransomware infection. I pulled the hard drive, slaved to a Malware removal VM, and away I went. I removed 28 infections on the first pass. The system could be clean at the moment, but it's hard to say because the OS has been damaged a bit.

The bugger with this one for me has been that the client had previously run the free version of HitmanPro, and so it couldn't be used to remove the infection. This left me with other AV tools, which have not seemed to work as well. Ultimately all PE/Rescue CDs have failed to solve the issue. This is a fun one! Going to really hammer it today, as I have more time to focus on it.

Most scans will not pick up the FBI infection. Manual removal is best for the main files that are causing the problem and then running scans to clean out any other remnants that are picked up. In particular I'd recommend aswMBR to check that the system's MBR is default and Roguekiller. FBI tends to go hand-in-hand with 0access.

For manual file removal you're looking in the following locations primarily:

In particular you are looking for: Skype.dat, Skype.ini, DisplaySwitch.exe, MigAutoPlay.exe, and any random .exes or .sys files as there really should not be any of those file types in those locations.

You can also use Autoruns to analyze the Offline system and then you'll generally be able to see the suspicious entry to track it down and remove it.

Also, some variants will change the HKCU\Software\Microsoft\Currentversion\Winlogon\ shell key from "explorer.exe" to "cmd.exe" or point to its own files.
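The two checks in the post above (the Winlogon Shell value and the named dropper files) can be scripted against the slaved, offline drive. The script below is an added example and is not from the thread or from any of the tools it mentions. It assumes the offline volume is mounted at $OfflineRoot, that the profile to inspect is $ProfileName, and that the folders worth sweeping for the named files are ProgramData and the profile's AppData (the post does not list its locations, so those roots are an assumption). It uses the full Winlogon path under "Windows NT\CurrentVersion", which is what the abbreviated HKCU path in the post refers to.

```powershell
# Added example (not from the thread): audit an offline Windows volume for the
# indicators described above. Run from an elevated session on the analysis VM.
# Assumptions: offline volume at $OfflineRoot, user profile folder $ProfileName,
# sweep roots ProgramData and <profile>\AppData (the post gives no list).
param(
    [string]$OfflineRoot = 'E:\',
    [string]$ProfileName = 'user'
)

$softwareHive = Join-Path $OfflineRoot 'Windows\System32\config\SOFTWARE'
$userHive     = Join-Path $OfflineRoot "Users\$ProfileName\NTUSER.DAT"

# Mount the offline hives under temporary key names so they can be read in place.
reg.exe load HKLM\OfflineSW   $softwareHive | Out-Null
reg.exe load HKLM\OfflineUser $userHive     | Out-Null

try {
    # 1) Winlogon Shell: the only default value is "explorer.exe". HKCU normally has
    #    no Shell value at all; a per-user override is itself worth a look.
    $winlogonPaths = @(
        'HKLM:\OfflineSW\Microsoft\Windows NT\CurrentVersion\Winlogon',
        'HKLM:\OfflineUser\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )
    foreach ($p in $winlogonPaths) {
        if (-not (Test-Path $p)) { "$p : key not present"; continue }
        $shell = (Get-ItemProperty -Path $p -Name Shell -ErrorAction SilentlyContinue).Shell
        if ($null -eq $shell)                { "$p : no Shell value (normal for the user hive)" }
        elseif ($shell -ieq 'explorer.exe')  { "$p : Shell = explorer.exe (default)" }
        else                                 { "$p : Shell = '$shell'  <-- NON-DEFAULT, review" }
    }

    # 2) Named files from the post, plus any .sys under the assumed sweep roots
    #    (driver files have no business living under ProgramData or AppData).
    $names = 'Skype.dat', 'Skype.ini', 'DisplaySwitch.exe', 'MigAutoPlay.exe'
    $sweepRoots = @('ProgramData', "Users\$ProfileName\AppData") |
        ForEach-Object { Join-Path $OfflineRoot $_ } |
        Where-Object { Test-Path $_ }

    Get-ChildItem -Path $sweepRoots -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { ($names -contains $_.Name) -or ($_.Extension -ieq '.sys') } |
        ForEach-Object {
            # SHA-256 lets you compare the file against a known-good copy or a
            # vendor database before deciding what to remove.
            [pscustomobject]@{
                Path      = $_.FullName
                Size      = $_.Length
                Modified  = $_.LastWriteTime
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        } | Format-Table -AutoSize
}
finally {
    # Always release the hives, or the drive cannot be cleanly detached afterwards.
    reg.exe unload HKLM\OfflineUser | Out-Null
    reg.exe unload HKLM\OfflineSW   | Out-Null
}
```

The hives are loaded read/write by reg.exe, so if the Shell value turns out to be wrong you can set it back to explorer.exe with Set-ItemProperty on the same loaded path before the finally block unloads it; take a copy of the hive file first so the change can be reverted.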

The reg key you mentioned absolutely was changed, and the d7 Malware Scanner found that quick enough and allowed me to alter it.

I'm still trying to fix some basic Windows 7 behavior though, and keep getting drawn away from working on the laptop. It won't assign removable media a drive letter (I have enabled/disabled disk auto mounting, etc.; no dice). Same effect in Safe Mode. I will report back with details when I can.

Hitman Pro kickstart can detect the FBI virus. Just needs to be updated regularly (recreating the kickstart). Something is different between updating hitman itself and copying to the drive vs letting hitman create the kickstart with updated ones.

techw13 wrote: "Hitman Pro kickstart can detect the FBI virus. Just needs to be updated regularly (recreating the kickstart). Something is different between updating hitman itself and copying to the drive vs letting hitman create the kickstart with updated ones."

You still need a valid license, whether that be free or not. HMWMCT was saying that the free license had already been used, so you can't use it again without paying for it.